Headline
CVE-2020-11081: osquery susceptible to DLL search order hijacking of zlib1.dll
osquery before version 4.4.0 contains a local privilege escalation vulnerability. If a Windows system is configured with a PATH that contains a user-writable directory, a local user may write a zlib1.dll DLL there, which osquery will attempt to load. Since osquery runs with elevated privileges, this enables local escalation. This is fixed in version 4.4.0.
Impact
If a Windows system is configured with a PATH that contains a user-writable directory, a local user may write a zlib1.dll DLL there, which osquery will attempt to load. Since osquery runs with elevated privileges, this enables local escalation.
Patches
The bug was introduced when OpenSSL was built and linked with compression support, which osquery does not use. PR #6433 removes this compile and linking option for the dependency.
Workarounds
This bug has security impact only when a system has a user-writable directory in its PATH. This is not the default and can be considered, by itself, a weakening of the system's security. The general guidance is to restrict write access to PATH directories to administrators and similarly-privileged accounts.
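One way to check a host against this guidance, as an added example that is not part of the advisory or the osquery project: the script lists directories on the machine-level PATH where an account outside a trusted set holds rights to create files, and notes whether a zlib1.dll is already present there. The function name, the trusted SID list and the choice of rights to flag are assumptions to adjust for your environment.

```powershell
# Added example: audit the machine PATH for directories writable by non-administrators.
# The trusted SID list is an assumption; extend it for your environment.
$TrustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)
$Fsr = [System.Security.AccessControl.FileSystemRights]
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
# Rights that allow creating a file in the directory or taking control of its ACL,
# plus the raw GENERIC_WRITE / GENERIC_ALL bits that some ACEs carry unmapped.
$WriteBits = [int]($Fsr::WriteData -bor $Fsr::ChangePermissions -bor $Fsr::TakeOwnership) -bor 0x40000000 -bor 0x10000000

function Get-WritablePathDirectory {
    param([string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'))

    $dirs = $PathValue -split ';' |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ } |
        Select-Object -Unique
    foreach ($dir in $dirs) {
        # Only existing directories have an ACL to inspect.
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        # Ask for the rules with SIDs so the comparison does not depend on localized names.
        $rules = (Get-Acl -LiteralPath $dir).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs apply to children, not to the directory itself.
            if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
            if (([int]$ace.FileSystemRights -band $WriteBits) -eq 0) { continue }
            $sid = $ace.IdentityReference.Value
            if ($TrustedSids -contains $sid) { continue }
            [pscustomobject]@{
                Directory    = $dir
                Sid          = $sid
                Rights       = $ace.FileSystemRights
                Zlib1Present = Test-Path -LiteralPath (Join-Path $dir 'zlib1.dll')
            }
        }
    }
}

Get-WritablePathDirectory | Format-Table -AutoSize
```

Deny entries are not evaluated, so the output can over-report; treat each row as a directory whose ACL needs review rather than as confirmed write access.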
References
Please see the issue and discussion #6426